If you use email notification, configure authenticated access to the SMTP mail server.

Whenever possible, use a mail server that supports authenticated access and use the computer account of the site server for authentication. If you must specify a user account for authentication, use an account that has the least privileges.
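The following PowerShell is an added example, not configuration from the Configuration Manager documentation or product. It assumes the ConfigurationManager module is loaded with the site drive as the current location, and that the Set-CMEmailNotificationComponent and Get-CMEmailNotificationComponent cmdlets accept the parameter names shown (verify them with Get-Help for your site's module version). The server name and sender address are placeholders.

```powershell
# Added example: configure Endpoint Protection email notification to use
# authenticated SMTP, preferring the site server's computer account.
# Assumptions: ConfigurationManager module loaded, site drive selected,
# parameter names as documented for your version (check with Get-Help).

$SmtpServer = 'smtp.contoso.example'              # placeholder mail server
$SendFrom   = 'configmgr-alerts@contoso.example'  # placeholder sender address

# Preferred: authenticate with the site server's computer account, so no
# user password is stored in the site configuration.
Set-CMEmailNotificationComponent -EnableEmailNotification $true `
    -SmtpServerFqdn $SmtpServer -Port 587 -UseSsl $true `
    -SendFrom $SendFrom -TypeOfAuthentication DefaultServiceAccount

# Fallback only when the mail server cannot accept the computer account:
# a dedicated account whose sole right is to submit mail (never a domain
# or site administrator). Prompted for interactively so it is not left
# in a script.
# $cred = Get-Credential -Message 'Least-privilege SMTP submission account'
# Set-CMEmailNotificationComponent -EnableEmailNotification $true `
#     -SmtpServerFqdn $SmtpServer -Port 587 -UseSsl $true `
#     -SendFrom $SendFrom -TypeOfAuthentication Other `
#     -UserName $cred.UserName -Password $cred.Password

# Review the result: TypeOfAuthentication must not be None, and UseSsl
# should be true so credentials and message content are not sent in clear.
Get-CMEmailNotificationComponent
```

Port 587 with TLS is the usual submission setting for an authenticated relay; substitute whatever your mail server actually requires, and treat an unauthenticated (None) configuration as a finding to fix.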

Ensure that end users do not have local administrative privileges.

Although it is always a security best practice to grant end users the least privileges that they need and not to grant them local administrative privileges, this is especially important for Endpoint Protection. When users have local administrative rights on computers that run the Endpoint Protection client, they might be able to do the following:

They can delete the reported instances of malware on their computer before this information is sent to Configuration Manager. Information about malware detection is collected and sent to the Configuration Manager site every five minutes. A local administrator can delete the record on their computer that malware was detected, and if this happens within that five-minute interval, Configuration Manager will have no information about the detected malware.

They can uninstall the Endpoint Protection client or stop dependent services. Although Configuration Manager can detect that the Endpoint Protection client is no longer installed and will automatically reinstall it, and client status checks can restart a stopped service and set it back to automatic, this still leaves a potential window of vulnerability during which the computer is unprotected by Endpoint Protection.
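The script below is an added example, not part of the Configuration Manager documentation, that audits a client for the two conditions just described: unexpected members of the local Administrators group, and an Endpoint Protection service that is missing, stopped, or not set to start automatically. The approved-administrator list and the service name are placeholders; the service name in particular depends on the client version and platform, so set it for your environment.

```powershell
# Added example: audit one client for local admin sprawl and Endpoint
# Protection service health. Placeholders: $ApprovedAdmins entries and
# $EndpointProtectionService (assumed to be 'WinDefend' on current
# Windows clients; confirm with Get-Service on a known-good machine).

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: built-in local admin
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation Admins'         # placeholder domain group
)
$EndpointProtectionService = 'WinDefend'  # assumption, see note above

# Members of local Administrators that are not on the approved list.
function Get-UnapprovedLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Report whether the service exists, is running, and starts automatically.
# With -Remediate, try to restore the expected state, mirroring what the
# client status check does, and re-evaluate afterwards.
function Test-EndpointProtectionService {
    param([string]$Name, [switch]$Remediate)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service absent: the client was likely uninstalled; reinstall is
        # Configuration Manager's job, so only report it here.
        return [pscustomobject]@{
            Service = $Name; Status = 'NotInstalled'; StartType = $null; Healthy = $false
        }
    }

    $healthy = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
    if (-not $healthy -and $Remediate) {
        try {
            Set-Service -Name $Name -StartupType Automatic -ErrorAction Stop
            Start-Service -Name $Name -ErrorAction Stop
        } catch {
            # Tamper protection or missing rights can block this; keep the
            # unhealthy result so the drift is still reported.
            Write-Warning "Remediation of '$Name' failed: $($_.Exception.Message)"
        }
        $svc = Get-Service -Name $Name
        $healthy = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
    }

    [pscustomobject]@{
        Service = $Name; Status = $svc.Status; StartType = $svc.StartType; Healthy = $healthy
    }
}

$extraAdmins = Get-UnapprovedLocalAdmins
if ($extraAdmins) {
    Write-Warning 'Unapproved members of the local Administrators group:'
    $extraAdmins | Format-Table -AutoSize
}
Test-EndpointProtectionService -Name $EndpointProtectionService -Remediate |
    Format-Table -AutoSize
```

Run it elevated on a sample of clients, or wrap it as a configuration item in a compliance baseline, so that both findings surface centrally rather than only on the machine where a local administrator could have already cleared the evidence.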

Email notification uses SMTP, a protocol that by itself does not authenticate senders or protect messages from tampering.

Email notification for Endpoint Protection can be a convenient way to learn quickly about malware that is detected on computers, so that you can take remedial action as soon as possible. However, before you enable email notifications, weigh the advantages and disadvantages against your security risk profile and infrastructure capacity. For example, anybody can send email from your specified sender address and tamper with the message. In addition, an attacker could flood the network and email server with spoofed emails that appear to come from Configuration Manager.